T1001.001

Junk Data

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By appending, prepending, or inserting random or meaningless data into C2 communications, adversaries prevent trivial signature-based detection. Examples include SUNBURST appending junk bytes to HTTP C2, P2P ZeuS adding junk data to UDP peer communications, Downdelph inserting pseudo-random characters between meaningful characters in C2 requests, and GoldMax generating decoy traffic to surround malicious traffic. This technique is primarily a network-level obfuscation method, making it challenging to detect purely through host-based telemetry.

Microsoft Sentinel / Defender

kusto

// T1001.001 - Junk Data C2 Obfuscation Detection
// Approach 1: Detect unusually large HTTP payloads with low entropy content ratio (junk padding)
// Combines DeviceNetworkEvents with process context to identify suspicious beaconing patterns
let SuspiciousProcesses = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe"]);
let KnownC2Ports = dynamic([80, 443, 8080, 8443, 4444, 4445, 1080, 3128]);
// Detect high-frequency beaconing with consistent intervals (C2 with junk padding)
let BeaconingActivity = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| where RemoteIPType == "Public"
| where RemotePort in (KnownC2Ports)
| summarize 
    ConnectionCount = count(),
    BytesSentTotal = sum(SentBytes),
    BytesReceivedTotal = sum(ReceivedBytes),
    UniqueRemoteIPs = dcount(RemoteIP),
    ConnectionTimes = make_list(Timestamp, 500),
    RemoteIPs = make_set(RemoteIP, 20),
    RemotePorts = make_set(RemotePort, 20)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| where ConnectionCount >= 5
| extend AvgBytesSent = BytesSentTotal / ConnectionCount
| extend AvgBytesReceived = BytesReceivedTotal / ConnectionCount
// Flag processes with high volume outbound (possible junk padding) or very consistent small sends (beaconing)
| where (AvgBytesSent > 5000 and AvgBytesReceived < 500) or (ConnectionCount > 20 and AvgBytesSent between (100 .. 2000))
| project Timestamp = now(), DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
         ConnectionCount, AvgBytesSent, AvgBytesReceived, UniqueRemoteIPs, RemoteIPs, RemotePorts;
// Approach 2: Detect DNS queries with unusually long or high-entropy labels (junk data in DNS C2)
let SuspiciousDNS = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsConnectionInspected" or ActionType == "DnsQueryResponse"
| where isnotempty(RemoteUrl)
| extend DomainLabel = tostring(split(RemoteUrl, ".")[0])
| extend LabelLength = strlen(DomainLabel)
| extend SubdomainDepth = array_length(split(RemoteUrl, "."))
// Long subdomains with random-looking characters are indicative of junk data padding in DNS C2
| where LabelLength > 20 or SubdomainDepth > 6
| where RemoteIPType == "Public"
| summarize
    QueryCount = count(),
    UniqueDomains = dcount(RemoteUrl),
    SampleDomains = make_set(RemoteUrl, 10)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where QueryCount >= 3 or UniqueDomains >= 3;
// Combine both signals
BeaconingActivity
| union SuspiciousDNS
| sort by Timestamp desc

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate software telemetry agents that send large amounts of diagnostic data to cloud endpoints with asymmetric request/response sizes
CDN or streaming applications making many small HTTP requests with varying payload sizes that resemble beaconing patterns
DNS-based load balancing or service discovery mechanisms that use long subdomains for routing (e.g., AWS, Azure service endpoints)
Software update mechanisms that poll update servers frequently with small request payloads
Security monitoring agents (EDR, DLP) that beacon home to management infrastructure on standard ports

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  | eval process_name=lower(mvindex(split(Image, "\\"), -1))
  | eval is_suspicious_proc=if(match(process_name, "(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)"), 1, 0)
  | where is_suspicious_proc=1
  | eval is_public_ip=if(NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\.168\\.|127\\.|0\\.|::1|fe80)"), 1, 0)
  | where is_public_ip=1
  | eval is_c2_port=if(DestinationPort IN ("80", "443", "8080", "8443", "4444", "4445", "1080", "3128"), 1, 0)
  | stats count as ConnectionCount, dc(DestinationIp) as UniqueIPs, values(DestinationIp) as RemoteIPs, values(DestinationPort) as Ports, earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, Image, CommandLine, is_c2_port
  | where ConnectionCount >= 5
  | eval detection_type="beaconing_candidate"
  | table _time, host, Image, CommandLine, ConnectionCount, UniqueIPs, RemoteIPs, Ports, detection_type, FirstSeen, LastSeen
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval query_lower=lower(QueryName)
  | eval label_count=mvcount(split(query_lower, "."))
  | eval first_label=mvindex(split(query_lower, "."), 0)
  | eval first_label_len=len(first_label)
  | eval has_hex_chars=if(match(first_label, "^[0-9a-f]{16,}$"), 1, 0)
  | eval has_random_chars=if(match(first_label, "[bcdfghjklmnpqrstvwxyz]{5,}"), 1, 0)
  | eval is_suspicious_dns=if(first_label_len > 20 OR label_count > 6 OR has_hex_chars=1, 1, 0)
  | where is_suspicious_dns=1
  | stats count as QueryCount, dc(QueryName) as UniqueDomains, values(QueryName) as SampleDomains, earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, Image, QueryName, first_label_len, label_count
  | where QueryCount >= 3 OR UniqueDomains >= 3
  | eval detection_type="suspicious_dns_junk_label"
  | table _time, host, Image, QueryCount, UniqueDomains, SampleDomains, first_label_len, label_count, detection_type, FirstSeen, LastSeen
]
| eval alert_score=case(
    detection_type="beaconing_candidate" AND ConnectionCount > 50, 3,
    detection_type="beaconing_candidate" AND ConnectionCount > 20, 2,
    detection_type="suspicious_dns_junk_label" AND UniqueDomains > 10, 3,
    detection_type="suspicious_dns_junk_label", 2,
    true(), 1
  )
| sort - alert_score, - _time

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Sysmon Event ID 3 (Network Connection) Sysmon Event ID 22 (DNS Query)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software telemetry agents making frequent connections with varying payload sizes to cloud backends
DNS-based CDN routing using long subdomains (AWS CloudFront, Azure Traffic Manager, Akamai)
Antivirus or EDR solutions performing frequent cloud lookups with long hash-based subdomain queries
Chat/collaboration applications (Teams, Slack) that use long subdomains for routing or session management
Software update services performing frequent version checks on standard HTTP/HTTPS ports

IBM QRadar (AQL)

sql

-- Approach 1: High-frequency beaconing from suspicious processes on known C2 ports
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  sourceip,
  destinationip,
  destinationport,
  sourceprocessname,
  COUNT(*) AS connection_count,
  SUM(LONG(eventpayload)) AS total_bytes_approx
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND LOWER(sourceprocessname) MATCHES '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost).*'
  AND destinationport IN (80, 443, 8080, 8443, 4444, 4445, 1080, 3128)
  AND NOT INCIDR(destinationip, '10.0.0.0/8')
  AND NOT INCIDR(destinationip, '172.16.0.0/12')
  AND NOT INCIDR(destinationip, '192.168.0.0/16')
  AND NOT INCIDR(destinationip, '127.0.0.0/8')
  AND starttime > (NOW() - 86400000)
GROUP BY sourceip, destinationip, destinationport, sourceprocessname
HAVING connection_count >= 5
ORDER BY connection_count DESC

UNION ALL

-- Approach 2: DNS queries with long junk-padded subdomains
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  sourceip,
  QIDNAME(qid) AS event_name,
  sourceprocessname,
  COUNT(*) AS query_count,
  COUNT(DISTINCT destinationip) AS unique_destinations
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) = 'Sysmon'
  AND QIDNAME(qid) LIKE '%DNS%'
  AND LENGTH(REGEXP_SUBSTR(destinationhostname, '^[^.]+')) > 20
  AND starttime > (NOW() - 86400000)
GROUP BY sourceip, sourceprocessname
HAVING query_count >= 3
ORDER BY query_count DESC

high severity medium confidence

Data Sources

QRadar SIEM Windows Security Event Log DSM Sysmon DSM DNS log sources

Required Tables

events flows

False Positives

Legitimate software update processes making periodic connections to vendor CDN infrastructure
Security scanners and vulnerability assessment tools generating high-frequency network connections
DNS-based load balancers using long CNAME chains with encoded tenant identifiers
Monitoring agents with heartbeat intervals producing consistent beaconing-like patterns

Sumo Logic CSE

sql

// Approach 1: Beaconing detection from suspicious processes
_sourceCategory=windows/sysmon OR _sourceCategory=WinEventLog/Sysmon
| where EventID = 3
| parse field=Image "*\\*" as img_path, process_name
| where process_name matches /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)\.exe/
| where !(DestinationIp matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/)
| where DestinationPort in ("80","443","8080","8443","4444","4445","1080","3128")
| timeslice 1h
| stats count as ConnectionCount, dc(DestinationIp) as UniqueIPs, 
         first(CommandLine) as SampleCommandLine,
         min(_messagetime) as FirstSeen, max(_messagetime) as LastSeen
         by Computer, process_name, DestinationPort, _timeslice
| where ConnectionCount >= 5
| sort by ConnectionCount desc
| fields -_timeslice

// Approach 2: DNS junk label detection
// Run separately
_sourceCategory=windows/sysmon
| where EventID = 22
| parse field=QueryName "*" as query_full
| parse regex field=query_full "^(?<first_label>[^.]+)"
| where length(first_label) > 20 OR 
        first_label matches /^[0-9a-f]{16,}$/ OR
        count(split(query_full, ".")) > 6
| stats count as QueryCount, 
         dc(QueryName) as UniqueDomains,
         values(QueryName) as SampleDomains,
         first(Image) as Process
         by Computer, first_label
| where QueryCount >= 3 OR UniqueDomains >= 3
| sort by QueryCount desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic collector Windows Event Logs

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=WinEventLog/Sysmon

False Positives

Automated software deployment tools making frequent connections during patch cycles
Browser-based applications with aggressive health check or telemetry intervals
CDN-hosted SaaS products using long subdomain routing labels for geo/tenant routing
Corporate proxy agents performing connection pooling that mimics beaconing patterns

Google Chronicle / SecOps

yaral

rule t1001_001_junk_data_c2_beaconing {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects T1001.001 Junk Data C2 obfuscation via beaconing from suspicious processes and DNS junk label queries"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1001.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-13"

  events:
    // Beaconing approach: repeated outbound connections from LOLBin processes
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.process.file.full_path = /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)\.exe$/
    $e.target.ip != "10.0.0.0/8"
    $e.target.ip != "172.16.0.0/12"
    $e.target.ip != "192.168.0.0/16"
    $e.target.ip != "127.0.0.0/8"
    $e.target.port in (80, 443, 8080, 8443, 4444, 4445, 1080, 3128)
    $e.principal.hostname = $hostname
    $e.principal.process.file.full_path = $proc_path

  match:
    $hostname, $proc_path over 1h

  condition:
    #e >= 5
}

rule t1001_001_junk_data_dns_label {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects T1001.001 junk data in DNS C2 via anomalously long subdomain labels from suspicious processes"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1001.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-13"

  events:
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.principal.process.file.full_path = /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)\.exe$/
    // DNS question name with long first label (>20 chars before first dot)
    re.capture($dns.network.dns.questions.name, "^([^.]{21,})") != ""
    $dns.principal.hostname = $host
    $dns.principal.process.file.full_path = $dproc

  match:
    $host, $dproc over 30m

  condition:
    #dns >= 3
}

high severity medium confidence

Data Sources

Google Chronicle UDM Chronicle Endpoint Telemetry Windows event forwarding to Chronicle

Required Tables

UDM NETWORK_CONNECTION events UDM NETWORK_DNS events

False Positives

CI/CD pipeline agents making repeated webhook calls to build infrastructure during deployments
Endpoint management software (SCCM, Tanium) making frequent check-in connections from system processes
Applications using base64-encoded subdomain routing for multi-tenant SaaS platforms
DNS-based service discovery in Kubernetes or microservice environments with long service names

CrowdStrike LogScale (CQL)

cql

// Approach 1: Beaconing detection - high-frequency connections from suspicious processes
#event_simpleName=NetworkConnectIP4
| ProcessImageFileName = /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)\.exe$/
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| RemotePort in [80, 443, 8080, 8443, 4444, 4445, 1080, 3128]
| groupBy([ComputerName, ProcessImageFileName, CommandLine, RemotePort],
    function=[
        count(aid, as=ConnectionCount),
        count(RemoteAddressIP4, distinct=true, as=UniqueRemoteIPs),
        collect(RemoteAddressIP4, multival=true, as=RemoteIPs, limit=20),
        min(@timestamp, as=FirstSeen),
        max(@timestamp, as=LastSeen)
    ])
| ConnectionCount >= 5
| eval duration_minutes = (LastSeen - FirstSeen) / 60000
| eval avg_interval_sec = if(ConnectionCount > 1, duration_minutes * 60 / ConnectionCount, null())
// Flag consistent short intervals (beaconing) or high counts
| where ConnectionCount > 20 OR (avg_interval_sec > 0 AND avg_interval_sec < 120)
| sort(ConnectionCount, order=desc)
| select([ComputerName, ProcessImageFileName, CommandLine, ConnectionCount, UniqueRemoteIPs, RemoteIPs, RemotePort, FirstSeen, LastSeen, avg_interval_sec])

// Approach 2: DNS junk label detection
// Run as separate query
#event_simpleName=DnsRequest
| ProcessImageFileName = /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|svchost|dllhost)\.exe$/
| DomainName = /./
| eval first_label = replace(DomainName, /\..*$/, "")
| eval first_label_len = length(first_label)
| first_label_len > 20 OR DomainName = /^[0-9a-f]{16,}\./
| groupBy([ComputerName, ProcessImageFileName],
    function=[
        count(DomainName, as=QueryCount),
        count(DomainName, distinct=true, as=UniqueDomains),
        collect(DomainName, multival=true, as=SampleDomains, limit=10),
        max(first_label_len, as=MaxLabelLen)
    ])
| QueryCount >= 3 OR UniqueDomains >= 3
| sort(UniqueDomains, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Falcon LogScale Falcon Data Replicator

Required Tables

NetworkConnectIP4 DnsRequest ProcessRollup2

False Positives

Falcon sensor itself or other EDR tools making frequent telemetry uploads with consistent intervals
Windows Update and Microsoft telemetry processes using svchost.exe for large payload transfers
Enterprise backup agents running through cmd.exe wrappers with scheduled high-frequency connections
Internal DNS resolvers using long CNAME chains that surface in DnsRequest telemetry

Last updated: 2026-04-13 Research depth: deep

References (15)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1001.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Junk Data

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections